Forum Discussion
CirrusSend Attackers IP to another system via API
Cumulonimbussend POST method should use the iRules sideband method. The difficulty is whether your server POST does not require username, password or Token authentication about F5?
firstly, F5 whether can ping NGFW and telnet NGFW 80(assume NGFW api service port is 80)?
secondly, if F5 can not telnet NGFW 80, F5 need to add network route to NGFW, make sure F5 can telnet NGFW 80
here is the code, NGFW(example NGFW ip is 10.0.0.10, api service port is 80) with no authentication for POST
when ASM_REQUEST_DONE priority 500 {
set asm_ip [ASM::client_ip]
set asm_json "\{\"Client_address\":$asm_ip\}"
set content_length [string length $asm_json]
set data "POST /sample/post/json HTTP/1.0\r\nHost: test.com\r\nContent-type: application/json\r\nContent-Length: ${content_length}\r\n\r\n${asm_json}"
if { [catch {connect -time 1000 -idle 30 -status conn_status 10.0.0.10:80} conn_id] == 0 && $conn_id ne "" } {
log local0. "Connect returns: $conn_id and conn status: $conn_status"
set send_bytes [send -timeout 1000 -status send_status $conn_id $data]
log local0. "Sent $send_bytes with status $send_status"
close $conn_id
return
} else {
log local0. "Connection could not be established to NGFW"
}
}
Aantatxuwen, thanks! Thats brilliant! Yeah, you're right! Now i facing problem with authentication. Is it possible to:
1. Send first POST request with credentials.
2. Get cookies from response to first POST request.
3. Send second POST request with attacker IP in payload and cookies in headers?
Is it possible to do that in one iRule? Any suggestions?
- xuwen
You'd better give the complete format of curl for calling the api twice, and show the response result of NGFW(curl -v http://xxxx)
Think of two methods. Write your own code to test it:
1. HTTP Super SIDEBAND Requesto
2. Use iRulesLx, node.js send http post api is definitely simpler and faster than tcl
